Researchers have discovered a series of vulnerabilities in Saflok-brand RFID-based keycard locks, exposing millions of hotel rooms worldwide to potential cyber compromise. These locks, which have been in use for 36 years, are installed on over 3 million doors across 13,000 hotels in 131 countries.
The vulnerabilities allow attackers to unlock the doors using a customized keycard. Although a patch has been rolled out, only 36% of the affected locks have been updated or replaced so far.
This security issue poses a significant challenge for the hotel industry, as hotels often house high-profile individuals and store sensitive guest data. Nation-backed threat actors are known to target hotels for cyber-espionage, aiming to steal information about influential people. Hotels attached to gaming facilities additionally face the risk of financial losses.
The exploit to break into hotel rooms requires a keycard from the targeted property, two MIFARE Classic keycards, and a device capable of writing to the keycards. The attack involves recording a code from the hotel card, overwriting data on a Saflok lock with one custom card, and then using the second custom card to unlock the door. Upgrading the affected locks is a time-consuming process that involves software updates, lock replacements, reissuing keycards, and upgrading third-party integrations.
This vulnerability is not the first of its kind, as similar methods to unlock electronic locks have been demonstrated in the past. Hoteliers employ various means to protect guests, including physical security measures and integrating security detection into building automation management systems. However, securing hotel locks beyond these measures can be challenging, with multifactor authentication and biometric locks presenting their own risks and regulatory issues.